Debian GNU/Linux Fixes Dangerous TCP Flaw In New Update

Short Bytes: Last month, computer scientists discovered a serious flaw in Linux kernel that allows hackers to hijack your internet connection and terminate the communication between two machines. This flaw also affects about 80% Android smartphones. Now, Debian GNU/Linux has released a series of fixes that address this issue by increasing the “rate limit for TCP Collect ACKs.”

In mid-August, we told you about a critical flaw in Linux kernel that affected Linux kernel 3.6 and beyond. If exploited, this flaw allows a wide range of malicious blind off-path TCP attacks that have the power to compromise the security of a Linux user.

Now, maintainers of Debian GNU/Linux have patched this TCP spying flaw, which is a welcome development. In its latest security advisory, Debian patched several bugs in the Linux kernel that may lead to denial of service, hacking via escalated privileges, and more. Let’s tell you more about these bugs and their patches:

CVE-2016-5696: Spotted by University of California Riverside’s Zhiyun Qian and his collaborators, this is the above-mentioned TCP flaw. It deals with the faulty implementation of TCP Challenge ACK feature in Linux that may allow remote attackers to find TCP connections between two specific IP addresses and to inject malicious code in those connections. Debian project writes that it could be mitigated by increasing the rate limit for TCP Collect ACKs.

CVE-2016-6136: Discovered by Pengfei Wang, it’s a ‘double-fetch’ or ‘Time-of-check to Time-of-use (TOCTTOU)’ bug. Pronounced “TOCK too“, it is a software bug that’s caused due to changes in a system between the checking of a condition and the use of the results of that check. By exploiting this bug, an attacker can create misleading log entries. Overall, it has limited impact.

CVE-2016-6828: Triggered by local users, this ‘user-after-free’ bug in the TCP implementation can cause the denial of service and privilege escalation. However, the exact security impact of this bug is unknown.

If you are using a stable distribution based on jessie, these issues have been fixed in the version 3.16.36-1+deb8u1. This update also brings along multiple changes that were intended for the upcoming jessie point release. We advise you to upgrade your Linux packages.

What makes CVE-2016-5696 bug so dangerous?

CVE-2016-5696, the most dangerous of these bugs, was labeled medium (attack range: remote) on NVD severity scale. This issue was fixed by Linus Torvalds himself. In his GitHub commit, Torvalds writes that “host rate limiting of challenge ACKS (RFC 5961) could leak enough information to allow a patient attacker to hijack TCP sessions.”

When this research was presented at Usenix security conference, the researchers also showed that TCP implementation could be exploited to uncover TOR users by forcing them to exit through particular exit relays.

To send and receive information, Linux and other operating systems make use of the Transmission Control Protocol (TCP). To ensure that the information reaches the intended destination, an IP address is used. By exploiting the TCP flaw, a hacker can deduce the TCP sequence number and track the online activities of the users. You’ll be surprised to know that such attack is very fast and takes place in less than 60 seconds with a 90% success rate.

Few days after this bug was revealed, the security firm Lookout checked the latest build of Android Nougat and found that its kernel wasn’t patched against the flaw. As a result, this bug leaves 80 percent of Android smartphones vulnerable.

While such targeted attacks are not easy to carry out, such developments raise serious security concerns. To keep yourself safe, apart from keeping your systems updated, you are also advised to encrypt your internet traffic and use VPN.

Did you find this article helpful? Don’t forget to drop your feedback in the comments section below.